Git hooks are a tool for keeping your repository in order: you can configure automatic rules for processing commits.


You all probably know about pre-commit, which checks your code before it is committed. But not everything can be verified on the client side before committing, and some restrictions I want to enforce globally across the whole Gitlab instance.


If you are confused about the difference between pre-commit and pre-receive hooks, this post describes it in the section "What are git hooks?".


If you have Gitlab Enterprise Edition, you can configure the hooks described in this post via the web interface.


But what if you have the Gitlab Community (Core) Edition?


This article will describe 5 pre-receive hooks that run on the Gitlab Community (Core) Edition server:


  • block_confidentials.sh - Blocking the sending of private keys and AWS tokens
  • block_file_extensions.sh - Block sending archives (Regex is customizable)
  • check-large-files.sh - Block sending of large files (Size is customizable)
  • reject-not-allowlist-email.sh - Blocking commits with email not from the allow list (Email domain list is configurable)
  • require-issue.sh - Block commits without issue in the title (the issue list is customizable)

Most of the hooks were taken from the pre-receive-hooks directory of the platform-samples repository (intended for GitHub Enterprise).


You can view all of the server hook source code on Github.


Installation on Gitlab


  • Create directory CDMY0CDMY
  • Copy hooks to this directory
  • Don't forget to make the hooks executable (chmod +x <hook file>)

Blocking the sending of private keys and AWS tokens


In the file block_confidentials.sh, we set up the regex_list, which describes confidential information.


# Define list of REGEX to be searched and blocked
regex_list=(
  # block any private key file
  '(\-){5}BEGIN\s?(RSA|OPENSSH|DSA|EC|PGP)?\s?PRIVATE KEY\s?(BLOCK)?(\-){5}.*'
  # block AWS API Keys
  'AKIA[0-9A-Z]{16}'
  # block AWS Secret Access Key (TODO: adjust to not find valid Git SHA1s; false positives)
  # '([^A-Za-z0-9/+=])?([A-Za-z0-9/+=]{40})([^A-Za-z0-9/+=])?'
  # block confidential content
  'CONFIDENTIAL'
)

Add the private key to the repository, commit, and get an error with CDMY1CDMY.
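The scanning core of such a hook, as an added example and not the article's own block_confidentials.sh: it takes the patterns above, checks only the lines a push adds (so already-committed history and removed lines are not rescanned), and shows how the pre-receive entry point feeds `git diff` output into it. The `\s` in the original patterns is replaced by the POSIX class `[[:space:]]` so the check does not depend on GNU grep; `hook_main` and the `GL_ID` guard are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: core of a block_confidentials-style pre-receive hook (not the article's script).

# Patterns from the article, with \s written as [[:space:]] for portability across ERE engines.
regex_list=(
  '(\-){5}BEGIN[[:space:]]?(RSA|OPENSSH|DSA|EC|PGP)?[[:space:]]?PRIVATE KEY[[:space:]]?(BLOCK)?(\-){5}.*'
  'AKIA[0-9A-Z]{16}'
  'CONFIDENTIAL'
)

# scan_diff: reads a unified diff on stdin and tests every added line ("+..." but not the
# "+++ b/file" header) against each pattern. Returns 0 if clean, 1 if any line matched.
scan_diff() {
  local rc=0 line re file="?"
  while IFS= read -r line; do
    case "$line" in
      '+++ '*) file="${line#+++ }"; continue ;;   # remember the file name for the error message
      +*) ;;                                       # an added line: scan it below
      *) continue ;;                               # context, removed lines, headers: skip
    esac
    for re in "${regex_list[@]}"; do
      if printf '%s\n' "${line#+}" | grep -Eq -e "$re"; then
        printf 'ERROR: %s: added line matches blocked pattern %s\n' "$file" "$re" >&2
        rc=1
      fi
    done
  done
  return "$rc"
}

# Hook entry point (assumed usage): the server feeds "oldrev newrev refname" lines on stdin.
hook_main() {
  local oldrev newrev refname rc=0
  local zero="0000000000000000000000000000000000000000"
  while read -r oldrev newrev refname; do
    [ "$newrev" = "$zero" ] && continue                 # branch deletion: nothing to scan
    if [ "$oldrev" = "$zero" ]; then                     # new branch: diff against the empty tree
      oldrev=$(git hash-object -t tree /dev/null)
    fi
    git diff "$oldrev" "$newrev" | scan_diff || rc=1     # any match rejects the whole push
  done
  exit "$rc"
}

# GL_ID is set by gitlab-shell in the hook environment (assumption); only then run as a hook.
if [ -n "${GL_ID:-}" ]; then hook_main; fi
```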




Block sending archives


In the file block_file_extensions.sh, configure case CDMY2CDMY, which specifies the file extensions that will be blocked.


Add the zip archive to the repository, commit, and get an error with CDMY3CDMY.




Block sending large files


In the check-large-files.sh file, we configure the CDMY4CDMY parameter, which indicates the file size in megabytes, above which the sending will be blocked.


Add a file more than 1 megabyte to the repository, commit, and get an error with CDMY5CDMY.




Blocking commits from email not from the allow list


In the reject-not-allowlist-email.sh file, configure the list of email domains for which commits are allowed.


declare -a DOMAIN_ARRAY=("group1.com" "group2.com") 

Change the email address in your git config to one whose domain is not in the allow list.


git config user.email user1@group3.com 

Add any file to the repository, commit, and get an error with CDMY6CDMY.




Block commits without issue in the title


This server hook was taken from the Majilesh blog.


In the require-issue.sh file, configure the commit_format list of patterns for which commits are allowed.


commit_format="(JIRA|PROJECTKEY|MULE|ECOM|SAP|XLR-[1-9]+Merge)" 

Add any file to the repository, make a commit whose title does not contain a word from commit_format, and get an error with CDMY7CDMY.




I hope that my post will encourage the community to develop server hooks.

